chokepoint / azazel

Azazel is a userland rootkit based off of the original LD_PRELOAD technique from Jynx rootkit. It is more robust and has additional features, and focuses heavily around anti-debugging and anti-detection.
GNU General Public License v2.0

Cannot get working #2

Closed DrDinosaur closed 10 years ago

DrDinosaur commented 10 years ago

root@cp-ub10-01:~# git clone https://github.com/chokepoint/azazel.git
Initialized empty Git repository in /root/azazel/.git/
remote: Counting objects: 44, done.
remote: Compressing objects: 100% (37/37), done.
remote: Total 44 (delta 14), reused 37 (delta 7)
Unpacking objects: 100% (44/44), done.
root@cp-ub10-01:~# cd azazel/
root@cp-ub10-01:~/azazel# ls
azazel.c  azazel.h  client.c  config.py  const.h  crypthook.c  crypthook.h  LICENSE  Makefile  pam.c  pcap.c  pcap.h  README.md  xor.c  xor.h
root@cp-ub10-01:~/azazel# make
cc -fPIC -g -c azazel.c pam.c xor.c crypthook.c pcap.c
pam.c:8:31: error: security/pam_appl.h: No such file or directory
pam.c:9:34: error: security/pam_modules.h: No such file or directory
pam.c:16: error: expected ‘)’ before ‘*’ token
pam.c:36: error: expected ‘)’ before ‘*’ token
pam.c:103: error: expected ‘)’ before ‘*’ token
pam.c:123: error: expected ‘)’ before ‘_’ token
crypthook.c:11:25: error: openssl/evp.h: No such file or directory
crypthook.c:12:25: error: openssl/sha.h: No such file or directory
crypthook.c:13:26: error: openssl/rand.h: No such file or directory
crypthook.c: In function ‘gen_key’:
crypthook.c:42: warning: incompatible implicit declaration of built-in function ‘free’
crypthook.c: In function ‘encrypt_data’:
crypthook.c:63: error: ‘EVP_CIPHER_CTX’ undeclared (first use in this function)
crypthook.c:63: error: (Each undeclared identifier is reported only once
crypthook.c:63: error: for each function it appears in.)
crypthook.c:63: error: ‘ctx’ undeclared (first use in this function)
crypthook.c:78: error: ‘EVP_CTRL_GCM_GET_TAG’ undeclared (first use in this function)
crypthook.c: In function ‘decrypt_data’:
crypthook.c:115: error: ‘EVP_CIPHER_CTX’ undeclared (first use in this function)
crypthook.c:115: error: ‘ctx’ undeclared (first use in this function)
crypthook.c:120: error: ‘EVP_CTRL_GCM_SET_IVLEN’ undeclared (first use in this function)
crypthook.c:127: error: ‘EVP_CTRL_GCM_SET_TAG’ undeclared (first use in this function)
pcap.c:1:23: error: pcap/pcap.h: No such file or directory
In file included from pcap.c:4:
azazel.h:23: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘*’ token
In file included from pcap.c:5:
pcap.h:8: error: expected ‘)’ before ‘_’ token
pcap.h:9: warning: ‘struct pcap_pkthdr’ declared inside parameter list
pcap.h:9: warning: its scope is only this definition or declaration, which is probably not what you want
pcap.h:10: warning: ‘struct pcap_pkthdr’ declared inside parameter list
pcap.c:7: warning: ‘struct pcap_pkthdr’ declared inside parameter list
pcap.c:7: error: conflicting types for ‘got_packet’
pcap.h:10: note: previous declaration of ‘got_packet’ was here
pcap.c: In function ‘got_packet’:
pcap.c:27: warning: passing argument 2 of ‘old_callback’ from incompatible pointer type
pcap.c:27: note: expected ‘const struct pcap_pkthdr *’ but argument is of type ‘const struct pcap_pkthdr *’
pcap.c:47: warning: passing argument 2 of ‘old_callback’ from incompatible pointer type
pcap.c:47: note: expected ‘const struct pcap_pkthdr *’ but argument is of type ‘const struct pcap_pkthdr *’
pcap.c: At top level:
pcap.c:54: error: expected ‘)’ before ‘*’ token
make: *** [libselinux.so] Error 1
root@cp-ub10-01:~/azazel#

and on Kali:

root@Kali:~# git clone https://github.com/chokepoint/azazel.git
Cloning into 'azazel'...
remote: Counting objects: 44, done.
remote: Compressing objects: 100% (37/37), done.
remote: Total 44 (delta 14), reused 37 (delta 7)
Unpacking objects: 100% (44/44), done.
root@Kali:~# cd azazel/
root@Kali:~/azazel# make
cc -fPIC -g -c azazel.c pam.c xor.c crypthook.c pcap.c
pam.c:8:31: fatal error: security/pam_appl.h: No such file or directory
compilation terminated.
make: *** [libselinux.so] Error 1
root@Kali:~/azazel#

Any ideas?

DrDinosaur commented 10 years ago

root@Kali:~/azazel# ls
azazel.c  client.c   crypthook.c  libselinux.so  pam.c   pcap.h     xor.c
azazel.h  config.py  crypthook.h  LICENSE        pam.o   pcap.o     xor.h
azazel.o  const.h    crypthook.o  Makefile       pcap.c  README.md  xor.o
root@Kali:~/azazel# LD_PRELOAD=/lib/libselinux.so bash -l
ERROR: ld.so: object '/lib/libselinux.so' from LD_PRELOAD cannot be preloaded: ignored.
[the same ld.so error line repeats many more times]
root@Kali:~/azazel# clear
ERROR: ld.so: object '/lib/libselinux.so' from LD_PRELOAD cannot be preloaded: ignored.

root@Kali:~/azazel# make install
ERROR: ld.so: object '/lib/libselinux.so' from LD_PRELOAD cannot be preloaded: ignored.
ERROR: ld.so: object '/lib/libselinux.so' from LD_PRELOAD cannot be preloaded: ignored.
ERROR: ld.so: object '/lib/libselinux.so' from LD_PRELOAD cannot be preloaded: ignored.
ERROR: ld.so: object '/lib/libselinux.so' from LD_PRELOAD cannot be preloaded: ignored.
[-] Initiating Installation Directory /lib
ERROR: ld.so: object '/lib/libselinux.so' from LD_PRELOAD cannot be preloaded: ignored.
ERROR: ld.so: object '/lib/libselinux.so' from LD_PRELOAD cannot be preloaded: ignored.
[-] Installing azazel
ERROR: ld.so: object '/lib/libselinux.so' from LD_PRELOAD cannot be preloaded: ignored.
[-] Injecting azazel

root@Kali:~/azazel# strace -p 3141
Don't scratch the walls
root@Kali:~/azazel# strace -p 32341234
Don't scratch the walls

I might have this running, but I'm not sure. I can't seem to connect to the backdoor (this is on another Kali machine):

root@Kali:~# ncat 192.168.1.104 22 -p 61040
Ncat: Connection refused.
root@Kali:~# ncat 192.168.1.104 -p 61040
Ncat: Connection refused.

I'm probably just doing something really dumb. Sorry, but I'm not very good at this. Any help would be excellent. Thanks.

codemunchies commented 10 years ago

Google is your friend:

Your first issue, the missing security/pam_appl.h: the solution will depend on your package management tool, but here are two common ones. You're missing the PAM development files. Using RPM, run yum whatprovides '*/security/pam_appl.h'; using APT-GET, run apt-file search '*/security/pam_appl.h'. Make sure you update your databases before running these commands; they will tell you what package to install in order to provide the missing files.

Your second issue, LD_PRELOAD cannot be preloaded: you're assuming that this will run like a typical binary from your working directory. The command you're running, LD_PRELOAD=/lib/libselinux.so bash -l, assumes the compiled libselinux.so file is stored at /lib/libselinux.so, so you'll need to copy it there first before trying to preload it.

If you can't figure it out with this info, ask Google: http://bit.ly/1j53udx

DrDinosaur commented 10 years ago

Okay thanks, I fixed those errors now. Could someone explain the backdoors and how hooking for that works exactly? I am looking at the documentation, but I'm not understanding it well. Thank you.

chokepoint commented 10 years ago

Yes sir, the non-PAM accept() backdoors work by intercepting the accept() system call from daemons listening on the system. Before returning a file descriptor to the application, Azazel checks the source port of the remote host requesting the connection. If the source port is within LOW_PORT / HIGH_PORT or CRYPT_LOW / CRYPT_HIGH respectively, it silently accepts the connection and listens to the remote host for the hidden shell's password. If the password is correct, the user is rewarded with a shell.

Now, in order to set the hooks into a daemon, you need to restart that service to ensure that it uses Azazel's hooked accept() call. I'm marking this issue as closed, but feel free to comment back on this thread if you have any more questions.

DrDinosaur commented 10 years ago

Thanks for the reply. I think I am understanding it a bit more now. In the documentation, it says "For each of these examples we are assuming that sshd is hooked with azazel and able to trigger any of the three operational backdoors." How do I hook into SSH? Also, it seems I can't start or restart the SSH service for some reason. On my attacking Kali machine:

root@Kali:~# service ssh start
[ ok ] Starting OpenBSD Secure Shell server: sshd.
root@Kali:~# service ssh stop
[ ok ] Stopping OpenBSD Secure Shell server: sshd.
root@Kali:~#

On the Kali machine with the rootkit:

root@Kali:~# service ssh start
root@Kali:~# service ssh stop
root@Kali:~#

I tried using port 21, where the FTP service is running, but it didn't give me the shell I wanted. Perhaps because it isn't "hooked":

root@Kali:~# ncat 192.168.1.104 21 -p 61040
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 15:46. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.

Even restarting the daemon:

root@Kali:~# service pure-ftpd restart
root@Kali:~#

Makes no difference. Thanks.

chokepoint commented 10 years ago

You fully installed the kit and injected it using /etc/ld.so.preload? Alternatively you can manually hook different daemons by using the LD_PRELOAD environment variable, but this can be messy.
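
A defender-side check for the two injection paths this thread describes (the /etc/ld.so.preload entry written by make install, and manual LD_PRELOAD hooking of a daemon), added here as an example that is not part of this thread or of the Azazel project. It audits constructed stand-ins for /etc/ld.so.preload, a daemon's /proc/<pid>/maps and its NUL-separated /proc/<pid>/environ; the paths, addresses and inode numbers in the samples are hypothetical, and the only page-derived value is the /lib/libselinux.so install location.

```python
import os
import re

# Constructed sample data standing in for /etc/ld.so.preload, a daemon's
# /proc/<pid>/maps and its /proc/<pid>/environ (hypothetical values).
SAMPLE_PRELOAD = "/lib/libselinux.so\n"
SAMPLE_MAPS = (
    "7f1c00000000-7f1c001c0000 r-xp 00000000 08:01 1234 /lib/x86_64-linux-gnu/libc.so.6\n"
    "7f1c00200000-7f1c00205000 r-xp 00000000 08:01 5678 /lib/libselinux.so\n"
    "7f1c00300000-7f1c00320000 r-xp 00000000 08:01 9012 /lib/x86_64-linux-gnu/libselinux.so.1\n"
)
SAMPLE_ENVIRON = "PATH=/usr/bin\0LD_PRELOAD=/lib/libselinux.so\0HOME=/root\0"
VERSIONED = re.compile(r"^(lib[^/]+?\.so)\.\d")  # libNAME.so.N -> libNAME.so

def preload_entries(text):
    """Entries of an ld.so.preload file; blank lines and # comments are ignored."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def mapped_objects(maps_text):
    """File-backed objects mapped into a process, parsed from /proc/<pid>/maps."""
    objs = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)
        if len(parts) == 6 and parts[5].startswith("/"):
            objs.add(parts[5])
    return objs

def audit(preload_text, maps_text, environ_text):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    entries = preload_entries(preload_text)
    for e in entries:
        findings.append(f"ld.so.preload forces {e} into every dynamically linked process")
    env = dict(kv.split("=", 1) for kv in environ_text.split("\0") if "=" in kv)
    if "LD_PRELOAD" in env:
        findings.append(f"LD_PRELOAD={env['LD_PRELOAD']} is set in the process environment")
    objs = mapped_objects(maps_text)
    forced = entries + [p for p in env.get("LD_PRELOAD", "").split(":") if p]
    for path in dict.fromkeys(forced):  # de-duplicated, order preserved
        if path in objs:
            findings.append(f"{path} is mapped into the audited process")
    # Distro libraries are loaded by versioned SONAME (libselinux.so.1); a bare
    # libselinux.so mapped alongside it is a lookalike, not the real library.
    real = {m.group(1) for m in map(VERSIONED.match, map(os.path.basename, objs)) if m}
    findings += [f"{o} shadows a versioned system library of the same name"
                 for o in sorted(objs) if os.path.basename(o) in real]
    return findings
```

On a live host the same functions can be fed the real files (read /proc/<pid>/environ in binary and decode it), and a clean system yields an empty list.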

DrDinosaur commented 10 years ago

Well, I ran "make install" and that worked well, I think. I believe I also ran "LD_PRELOAD=/lib/libselinux.so bash -l".

manofring commented 10 years ago

OK, I've successfully installed Azazel, but connecting does not work. For example:

ncat 192.168.20.250 22 -p 61050
SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u1
changeme
Protocol mismatch.

Any idea?

chokepoint commented 10 years ago

Which distro are you using?

manofring commented 10 years ago

I'm trying Debian 7 64-bit (Proxmox) and Debian 7 i386.


eyes0re commented 9 years ago

I too am interested in hooking individual daemons. I installed everything correctly (as far as I can tell) with no errors, but I am having issues connecting to a backdoor. I would like to try to hook sshd. If I am reading the documentation correctly, I restart the sshd service and then run LD_PRELOAD=/lib/libselinux.so ssh?